Microsoft February 2026 Patch Tuesday: Outlook Zero-Day Exploited in the Wild

CVE-2026-0167: Outlook Remote Code Execution Zero-Day

CVE-2026-0167 is a use-after-free vulnerability in Microsoft Outlook's email rendering engine. When Outlook renders a specially crafted email message — including simply displaying it in the preview pane — the vulnerability can be triggered, allowing an attacker to execute arbitrary code with the privileges of the Outlook process (typically the logged-in user).

Key characteristics:

• CVSS Base Score: 8.8 (High)
• Authentication: None (email can be sent from any external address)
• User Interaction: Low (preview pane display is sufficient)
• Exploited in wild: Confirmed prior to February Patch Tuesday
• Affected versions: Outlook 2016, 2019, 2021, Microsoft 365 Apps for Enterprise (all channel versions prior to February update), Outlook for Windows
• Not affected: Outlook on the web (OWA), Outlook for Mac, Outlook for iOS/Android

Australian Targets: Who Has Been Hit

Microsoft's threat intelligence team and the ASD ACSC have both confirmed exploitation of CVE-2026-0167 against Australian targets. The known victim categories include:

• Law firms with significant practices in areas of interest to nation-state adversaries (mergers and acquisitions, government contracts, defence procurement)
• Federal government contractors, particularly those working on critical infrastructure and defence projects
• Professional services firms (accounting, consulting) with access to sensitive client financial and strategic information

The targeting profile is consistent with intelligence collection objectives of state-sponsored APT groups rather than financially motivated cybercriminals. The ASD has indicated that the campaign bears indicators consistent with Chinese APT activity, though formal attribution has not been publicly stated.

Other Notable February Vulnerabilities

• CVE-2026-0145 — Windows Kernel EoP (CVSS 7.8): Exploited in wild. Allows local privilege escalation from standard user to SYSTEM.
• CVE-2026-0189 — Windows SMB Server RCE (CVSS 8.1): Not yet exploited but proof-of-concept expected imminently.
• CVE-2026-0201 — Azure Active Directory RCE (CVSS 9.0): Critical cloud infrastructure vulnerability. Apply immediately to Azure environments.
• CVE-2026-0213 — Microsoft Edge Chromium RCE (CVSS 8.3): Browser-based code execution via malicious web pages.
• CVE-2026-0225 — Windows Defender Bypass (CVSS 6.5): Allows malicious files to bypass real-time protection. Elevated importance given widespread reliance on Defender as primary endpoint protection.

Interim Mitigations (If Immediate Patching is Not Possible)

If you cannot immediately apply the February updates to all Outlook installations, the following interim mitigations reduce exploitation risk:

• Disable the preview pane in Outlook: Navigate to View > Reading Pane > Off. This prevents exploitation via preview but users must still avoid opening suspicious emails.
• Enable Microsoft Defender SmartScreen: Provides partial mitigation for some exploitation attempts
• Block external email from untrusted senders at the gateway level: Limits the attack surface to already-trusted senders
• Deploy Enhanced Mitigation Experience Toolkit (EMET) compatible mitigations: Where supported, data execution prevention and address space layout randomisation can disrupt exploitation

These are interim measures only. The definitive fix is applying the February 2026 security update.

Patching Guidance

Tier 1: Emergency (Within 24 Hours)

• Apply February updates to all Microsoft Outlook installations (CVE-2026-0167)
• Apply to all Windows systems running Microsoft 365 Apps

Tier 2: Urgent (Within 72 Hours)

• Apply Windows Kernel EoP patch (CVE-2026-0145) to all Windows workstations and servers
• Apply Azure AD update to all Azure tenancies (CVE-2026-0201)
• Apply Microsoft Edge update to all browser deployments (CVE-2026-0213)

Tier 3: Standard Cycle

• Remaining Important-rated vulnerabilities through normal patch management process